
DATA MANAGEMENT SYSTEM AND METHOD 
Background of the Invention 

1. Field of the Invention 

The present invention generally relates to a secure system and method for managing potentially confidential data. In particular, the present invention relates to a system and method for managing data so that access to the data is controlled and confidentiality of the data is ensured.

2. Background Art 

In several industries, such as banking and insurance, a good statistical understanding of several types of data is either vital, or at least crucial for economic success. For example, actuarial charts are an extremely valuable resource to the insurance industry. In this case, the data sets are so large that precise data modeling can be done. Moreover, since the essential elements of information that need to be taken into account are not confidential, data sharing among market participants is somewhat common. Typically, the distributions describing such data have so called "thin tails," which generally means that events quite different from the most typical events are extremely rare. As a consequence of this and other characteristics that allow for better statistical analysis, premium pricing can be done so that it is both attractive to customers and profitable for insurers.



CHA920010022US1 







In contrast, other types of data (e.g., operational risk data) are considered sensitive, and as such, are rarely reported. Usually, the distributions that capture these types of data have fat tails (i.e., abnormally many extreme events). "Operational Risk" relates to the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events. This type of risk is typically linked to events that institutions such as banks prefer to keep confidential (e.g., hacking of their systems, failure of a person or a machine to complete a trade, etc.). Thus, companies that would benefit from sharing data about operational risk to augment the quality of important statistics cannot do so because of the confidentiality breaches that sharing would imply.

Heretofore, attempts have been made to use a third party to collect such sensitive data. However, a problem connected with third party collection is directly linked to the lack of control of the third party. Specifically, the third party usually does not obtain all of the necessary data. Moreover, access to the data in these instances (e.g., by employees of the third party) is often not controlled. Thus, confidential details are at risk of being exposed.

In view of the foregoing, there exists a need for a secure system and method for managing confidential data so that the data can be analyzed and remain confidential. Moreover, a need exists for a system and method in which access to data is limited to only approved or authorized entities. A further need exists for a system and method in which confidential details in received data can be readily identified and concealed. Another need exists for a system and method in which confidential details that have become non-confidential can be identified and exposed.

Summary of the Invention 

In general, the present invention provides a data management system and method. Specifically, under the present invention, encrypted data is received from providers at randomly generated time intervals. Once received, the data is decrypted, and any confidential details contained therein are identified and concealed. The data is then stored for statistical analysis with all data (including confidential data) being accessible for analysis as long as the confidentiality of the data is not compromised. Periodically, the stored data can be updated by identifying and exposing any confidential details that have become non-confidential. Access to the data is limited to entities designated as "authorized." Thus, even entities such as system owners, administrators, etc. may not be able to gain access.

According to a first aspect of the present invention, a data management system is provided. The system comprises: (1) an access control system for limiting access to the data management system to authorized entities; (2) a data confidentiality system for identifying and concealing confidential details in received data; (3) a data storage system for storing the received data; and (4) a data update system for examining stored data to identify and expose non-confidential details.
According to a second aspect of the present invention, a data management system is provided. The system comprises: (1) an access control system for limiting access to the data management system to authorized entities; (2) a data decryption system for receiving and decrypting received operational risk data; (3) a data confidentiality system for identifying and concealing confidential details in the received data; (4) a data storage system for storing received data after the confidential details have been concealed; (5) a data update system for examining stored data to identify and expose non-confidential details; (6) a program approval system for approving systems for analyzing the stored data; and (7) a key security system for protecting encryption keys.

According to a third aspect of the present invention, a method for managing data is provided. The method comprises: (1) receiving data in a secured manner from an authorized provider; (2) identifying and concealing confidential details in the received data; (3) storing the received data; and (4) updating the stored data by identifying and exposing non-confidential details in the stored data.

According to a fourth aspect of the present invention, a program product stored on a recordable medium for managing data is provided. When executed, the program product comprises: (1) an access control system for limiting access to the data management system to authorized entities; (2) a data confidentiality system for identifying and concealing confidential details in received data; (3) a data storage system for storing the received data; and (4) a data update system for examining stored data to identify and expose non-confidential details.
Therefore, the present invention provides a data management system and method.

Brief Description of the Drawings

These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:

Fig. 1 depicts a data management system according to the present invention.

Fig. 2 depicts a computer system of the data management system having a data protection system and a data analysis system.

Fig. 3 depicts the data protection system of Fig. 2.

Fig. 4 depicts an approval process for a data analysis system.

The drawings are merely schematic representations, not intended to portray specific parameters of the invention. The drawings are intended to depict only typical embodiments of the invention, and therefore should not be considered as limiting the scope of the invention. In the drawings, like numbering represents like elements.

Detailed Description of the Invention

In general, the present invention provides a data management system and method. As indicated above, data sharing can be extremely helpful in many fields of industry. However, certain types of data are sensitive and include details that an organization may wish to keep confidential. To date, this has prevented the free sharing of data among organizations. One type of sensitive data is known as "operational risk" data, which typically relates to the risk of loss resulting from failure within the organization itself (e.g., losses resulting from computer hacking). In this case, an organization may wish/need to report its loss from an operational risk, but also wish to conceal its identity. Still other types of data are required to be kept confidential by law, for reasons of market advantage, or to protect the organization's security or public image.

One scenario involving sensitive data arises where organizations leverage 
information descriptive of a particular market (the market being defined as the set 
of conditions under which participants exchange products). The knowledge of 
market information is useful to all, as it enables individuals to optimize their 
transactions. However, the information is often comprised of contributions that 
need to remain confidential, as no one wishes to reveal the particular conditions 
under which they transact. Examples of this data type include: (1) quotes in 
illiquid financial markets; (2) credit pricing information; and (3) insurance claims 
data. 

Another scenario involving sensitive data is where each actor, together with specific industry organizations, leverages information descriptive of how other companies operate (including the business assumptions they make) to optimize or facilitate their own operations or trading conditions, or in the case of industry organizations, to develop rules or services beneficial to the industry. Examples of this data type include: (1) losses incurred as a result of operating or operational risks, as was discussed above; and (2) analysis results of information publicly available or accessible such as statistical data used in insurance industries, sectorial analysis used in banking and finance industries, company and industry ratings, etc.

The present invention provides a way for organizations to report these and other types of sensitive data so that confidential details remain confidential, yet all parties in a group of members can perform analyses on the confidential data as long as analysis results are presented to requesters in such a way that no confidentiality of data is breached. The present invention also limits access to the data so that only "approved" or "authorized" entities can gain access (as will be described in further detail below). It should be appreciated that although the present invention is preferably used to manage operational risk data, any type of sensitive data could be managed.

Referring now to Fig. 1, a data management system 10 in accordance with the present invention is shown. As depicted, data management system 10 includes secure layer 13, computer systems 11, and databases 22. In a typical embodiment, certain computer systems 11 are responsible for managing certain databases 22. Specifically, some computer systems 11 may control databases 22 that include only encrypted data, while other computer systems 11 may control databases 22 that have either encrypted or decrypted data. In general, computer systems 11 are field programmable, physically and logically secure computational devices such as the IBM 4758 PCI Cryptographic Coprocessor. Specifically, such systems 11 should be tamper resistant, tamper evident, tamper sensitive, tamper reactive and programmable. Secure layer 13 is programmable cryptographic hardware (with a processor or a coprocessor) that is tamper resistant, tamper reactive, tamper sensitive, and tamper evident. This ensures that access to data management system 10 is limited to only authorized entities. It should be appreciated that the depiction shown in Fig. 1 is illustrative only, and that the quantity of computer systems 11 and/or databases 22 could vary.

Referring now to Fig. 2, a more detailed view of data management system 10 is shown. As depicted, data management system 10 includes computer system 11 (only one computer system 11 is shown for clarity purposes), which generally comprises memory 12, input/output (I/O) interfaces 14, a central processing unit (CPU) 16, external devices/resources 18, bus 20, and database 22. Memory 12 may comprise any known type of data storage and/or transmission media, including magnetic media, optical media, random access memory (RAM), read-only memory (ROM), a data cache, a data object, etc. Moreover, memory 12 may reside at a single physical location, comprising one or more types of data storage, or be distributed across a plurality of physical systems in various forms. CPU 16 may likewise comprise a single processing unit, or be distributed across one or more processing units in one or more locations, e.g., on a client and server.

I/O interfaces 14 may comprise any system for exchanging information to/from an external source. External devices 18 may comprise any known type of external device, including a CRT, LED screen, hand-held device, keyboard, mouse, voice recognition system, speech output system, printer, facsimile, pager, personal digital assistant, cellular phone, web phone, etc. Bus 20 provides a communication link between each of the components in the computer system 11 and likewise may comprise any known type of transmission link, including electrical, optical, wireless, etc. In addition, although not shown, additional components, such as cache memory, communication systems, system software, etc., may be incorporated into computer system 11.

Database 22 could provide storage for information necessary to carry out the present invention. Such information could include, among other things, a table that identifies: (1) data and statistics; (2) relevant confidentiality laws; (3) policies governing confidentiality and data authentication; (4) rules governing access to the data management system 10; and (5) member information. As shown in Fig. 1, database 22 may include one or more storage devices, such as a magnetic disk drive or an optical disk drive. In another embodiment database 22 includes data distributed across, for example, a local area network (LAN), wide area network (WAN) or a storage area network (SAN) (not shown). Database 22 may also be configured in such a way that one of ordinary skill in the art may interpret it to include one or more storage devices.

Stored in memory 12 are a data protection system 24 and a data analysis system 26. Data protection system 24 includes various systems for protecting data submitted by providers 28 and requested by requesters 30. Referring to Fig. 3, a more detailed view of data protection system 24 is shown. As depicted, data protection system 24 includes: (1) access control system 40; (2) data decryption system 42; (3) confidentiality system 44; (4) data storage system 46; (5) data update system 48; (6) data verification system 50; (7) program approval system 52; (8) key security system 54; (9) backup and recovery system 56; and (10) data retrieval system 58.

Data will be submitted to data management system 10 by authorized providers 28 (i.e., members), and subsequently decrypted by data decryption system 42. Whether provider 28 is authorized to submit data can be verified by access control system 40 based upon rules or protocols stored in the database. Specifically, upon attempting to submit data, access control system 40 will first verify that provider 28 has the right to do so (i.e., is an authorized provider member). If not, the data will be rejected by data management system 10. In general, data is submitted to data management system 10 by approved providers according to randomly generated time intervals. Specifically, a random number generated/created by a provider 28 will cause a message to be composed at random (or with desired content) and sent to data management system 10 in an encrypted format. The message will request from the data management system 10 that it ask all providers 28 to submit a message of at least length L. Data decryption system 42 will decrypt the message, determine a new length L' at least equal to length L, and send a message to all providers 28 requesting data updates (new events and/or complements of previous data). All providers 28 will then send encrypted messages of length L' to data management system 10, which data decryption system 42 will decrypt. Some of the messages may contain actual data, while others may be empty to help deter eavesdropping.

As will be described in further detail below, all communication between providers 28 and data management system 10 is secure (as well as communication between requesters 30 and data management system 10). To this end, private lines or couriers carrying data can be used, as well as public systems such as the Internet. In either event, protocols to protect against traffic analysis should be provided. In addition, communication is preferably encrypted to protect against eavesdropping and other attacks. Further, providers 28 can delay submitting data until the next time they provide a message at random so that deviations from statistical distributions cannot be detected. The process can also be modified so that while sending messages of length L', any provider 28 can embed a request for another round of data submission with a different length. A further modification allows providers 28 to request extra length L'', wherein L'' is determined at random.
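One submission round as described above, written as an added example rather than code from the patent: the system picks L' >= L at random, every provider (including those with nothing to report) returns a frame of exactly L' bytes, and a provider can embed a request for another round in a flag byte. The frame layout, flag byte, names and payloads are assumptions of this example; the framed bytes would be encrypted before transmission, which is left out here.

```python
"""Fixed-length submission round: decoys and real messages have the same size."""
import secrets
import struct

HEADER = 5        # 4-byte payload length + 1 flag byte (layout assumed here)
FLAG_NONE = 0     # provider requests nothing further
FLAG_MORE = 1     # provider embeds a request for another round of submission


def choose_round_length(requested: int, max_extra: int = 64) -> int:
    """System side: L' = L plus a random extra, so the observed traffic does not
    reveal the length L that the triggering provider asked for."""
    return requested + secrets.randbelow(max_extra + 1)


def frame(payload: bytes, length: int, flag: int = FLAG_NONE) -> bytes:
    """Provider side: length prefix | flag | payload | random padding, exactly
    `length` bytes.  An empty payload yields a decoy of the same size as a real
    message, so an eavesdropper cannot tell who actually reported an event."""
    if len(payload) + HEADER > length:
        raise ValueError("payload does not fit in a message of length %d" % length)
    pad = secrets.token_bytes(length - HEADER - len(payload))
    return struct.pack(">IB", len(payload), flag) + payload + pad


def unframe(msg: bytes, length: int) -> tuple:
    """System side: accept only messages of exactly L' bytes, then strip the
    padding.  Returns (payload, flag)."""
    if len(msg) != length:
        raise ValueError("message length %d != round length %d" % (len(msg), length))
    n, flag = struct.unpack(">IB", msg[:HEADER])
    if n > length - HEADER:
        raise ValueError("corrupt length prefix")
    return msg[HEADER:HEADER + n], flag


def run_round(providers: dict, requested: int, max_extra: int = 64) -> dict:
    """Simulate one round.  `providers` maps a provider name to its payload, to
    None when it sends a decoy, or to (payload, FLAG_MORE) when it also asks
    for another round with a different length."""
    round_len = choose_round_length(requested, max_extra)
    wire, received, more_requested = {}, {}, False
    for name, item in providers.items():
        payload, flag = item if isinstance(item, tuple) else (item, FLAG_NONE)
        wire[name] = frame(payload or b"", round_len, flag)
    for name, msg in wire.items():           # everything on the wire is L' bytes
        payload, flag = unframe(msg, round_len)
        received[name] = payload
        more_requested |= flag == FLAG_MORE
    return {"round_length": round_len, "wire": wire, "received": received,
            "another_round": more_requested}
```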

Preferably the data submitted (i.e., in length L') by each provider 28 should have a particular format (e.g., XML). One example of a data message is shown below:

S: Provider name A
N: Event identification number (known also by provider "A" for further information flows as needed)
T: Date of the event
T: Location (or list of locations) of the event
N: Nature of the event (as specified for instance by a number, or a collection of numbers as described below)
N: Is the event primary or is it a consequence of another event or chain of events?
N: Equipment involved (as specified for instance by a collection of numbers as described below)
T: Brands and designation of all pieces of equipment involved
N: Time elapsed between event and discovery
T: Chain of events arising from this event
T: Mitigation description (as specified for instance by a number, or a collection of numbers as described below)
N: Estimated cost associated with the event
T: Estimated cost associated with the chain of events the event belongs to
In this example, "S" means the data is secret, "T" means the data is temporarily secret and/or possibly secret as described below, and "N" means the data is not secret. All data, secret or otherwise, can be accessed by the data analysis system 26 to perform analyses and prepare reports. The nature of events can be specified according to numbers such that sets of events may be listed by assigned numbers. As time passes, a better understanding can lead to finer segmentation so that a cascade or list of numbers can then designate events. Also, the events can be grouped, and the groups can themselves be grouped, and so on, so that events are designated by themselves, their groups, etc. This provides several levels of resolution for different statistical analyses.

The equipment associated with any event can be designated by using 
hierarchical groupings of numbers, or equivalently, by using a tree. Event 
mitigation can also be advantageously designated by sequences of numbers, 
which designate them progressively more and more precisely. 

When data is received, data decryption system 42 will decrypt the data and confidentiality system 44 will identify and conceal any confidential details. This is generally accomplished by parsing the data and securing/encrypting any data marked "S" or "T." One example of a secret detail could be if a hack is reported on a bank in a small city in the Philippines. If the city has only one bank, the name of the city could be kept confidential so that the identity of the bank will not be known. Irrespective of this concealment, the details could still be used in statistical modeling as long as the confidentiality thereof is not compromised. For example, if statistics are gathered relating to hacks on banks in the Philippines, the data (e.g., financial loss) for the bank whose city was concealed will be considered without compromising the confidentiality of the concealed detail(s). The concealed details may themselves be used in some cases. For example, if statistics are requested about events in small cities, and there are events associated with several small cities, the name of the city will be used to determine that the associated data has to be considered, but the name of the city will not be revealed. While such data remains at least temporarily secret, it may be replaced in some reports by less precise data that does not divulge the bank's identity or other information meant to remain secret. For example, a regional location of banks (e.g., the entire Philippines) could be used until enough local banks are formed so that divulging the city name does not divulge a particular bank's identity.

In addition to being designated by provider 28 with an "S" or "T" (or similar indicator), confidential details could be identified according to internal policies and/or laws. For example, local laws or internal policies may require that certain details are kept confidential. In such an instance, confidentiality system 44 will conceal these details. The protection of confidentiality under the present invention is intended to be such that no entity lacking authorization (including e.g., a system administrator or owner) can have access to the confidential data. This protection extends to scenarios involving destruction of the apparatus, the use of any known methods for confidentiality and code breaking, etc. Under the present invention, either the secret will be absolute for real time technology attacks (as the data will be re-encrypted and destroyed as technology advances), or keys to access some of the data as described in some warrants will be provided to agents of government or regulatory bodies (where several agents may need to act together to ensure better security, according to well known practices in all forms of security).

Once any confidential details are concealed, data storage system 46 will store the data in database 22. Thereafter, data update system 48 will periodically update the stored data. Updating data includes both augmentation of data with new data as well as de-stripping of data. In the case of the latter, some details that were concealed as being confidential may no longer be confidential. In such instances, data update system 48 will identify and expose the non-confidential details. This type of data is referred to above as secret or temporarily secret. One example of this could be where the number of banks in the city in the Philippines passes a certain threshold (e.g., as dictated by system policies), so that the name of the city might no longer be confidential. The data could also be updated by data update system 48 for accuracy and also completed as a better understanding of the events reveals relevant facts that were not previously provided. For example, the cost and/or cause of an event may take time to be definitively determined. All such updates, whether about new facts or not, will be easily associated with the right event by using the event identification number.
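The concealment step described earlier (parsing the tagged message and securing the "S" and "T" details, using the concealed city to group events and a regional label in reports) and the de-stripping step described just above (exposing the city once enough banks report there), as one added example that is not the patent's own code. The line layout "<tag>: <name>: <value>", the sample events, the region map, the bank-count policy and the keyed-token concealment standing in for encryption are all assumptions of this example.

```python
"""S/T/N tagged records: conceal, analyze without revealing, then de-strip."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Constructed sample messages from three providers (S = secret, T = temporarily
# secret, N = not secret); the "<tag>: <name>: <value>" layout is assumed.
SAMPLE_MESSAGES = [
    "S: Provider: Bank Alpha\nN: Event id: 1042\nT: City: Dapitan\nN: Cost: 250000",
    "S: Provider: Bank Beta\nN: Event id: 1043\nT: City: Dapitan\nN: Cost: 40000",
    "S: Provider: Bank Gamma\nN: Event id: 1044\nT: City: Cebu\nN: Cost: 99000",
]
# Constructed coarsening map: the less precise label used while a city is secret.
REGION_OF = {"Dapitan": "Philippines", "Cebu": "Philippines"}


@dataclass
class Field:
    tag: str    # 'S', 'T' or 'N'
    name: str
    value: str  # plaintext, or an opaque token once concealed


def parse_message(text: str) -> list:
    """Parse one tagged message into Field records; unknown tags are rejected."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("S", "T", "N"):
            raise ValueError("malformed line: %r" % line)
        fields.append(Field(*parts))
    return fields


class ConcealmentVault:
    """Stand-in for the key-protected store behind the confidentiality system:
    a concealed value is replaced in the record by a keyed token, and the
    plaintext is kept only here (where the key security system would guard it)."""

    def __init__(self, key: bytes):
        self._key = key
        self._plain = {}   # token -> plaintext

    def conceal(self, fields: list) -> list:
        for f in fields:
            if f.tag in ("S", "T"):
                # Deterministic per (name, value) so analyses can group events that
                # share a concealed detail without learning it; token equality is
                # therefore visible by design.
                tok = hmac.new(self._key, ("%s=%s" % (f.name, f.value)).encode(),
                               hashlib.sha256).hexdigest()[:16]
                self._plain[tok] = f.value
                f.value = "tok:" + tok
        return fields

    def reveal(self, value: str) -> str:
        """Plaintext behind a token; already-exposed plaintext passes through."""
        return self._plain[value[4:]] if value.startswith("tok:") else value


def _providers_per_city(events: list) -> dict:
    """City key (token or plaintext) -> set of provider keys that reported there."""
    banks = {}
    for ev in events:
        by = {f.name: f.value for f in ev}
        banks.setdefault(by["City"], set()).add(by["Provider"])
    return banks


def loss_by_city(events: list, vault: ConcealmentVault, min_banks: int) -> dict:
    """Total cost grouped by city.  The city decides which events belong together,
    but it is only named once at least min_banks distinct providers reported
    there; otherwise the coarser region label stands in for it."""
    banks, cost = _providers_per_city(events), Counter()
    for ev in events:
        by = {f.name: f.value for f in ev}
        cost[by["City"]] += int(by["Cost"])
    report = Counter()
    for city_key, total in cost.items():
        city = vault.reveal(city_key)            # used internally only
        label = city if len(banks[city_key]) >= min_banks else REGION_OF[city]
        report[label] += total
    return dict(report)


def destrip(events: list, vault: ConcealmentVault, min_banks: int) -> int:
    """Data update step: expose City details whose confidentiality has lapsed
    (enough providers in that city); S details never lapse.  Returns the
    number of fields exposed."""
    banks, exposed = _providers_per_city(events), 0
    for ev in events:
        for f in ev:
            if (f.tag == "T" and f.name == "City" and f.value.startswith("tok:")
                    and len(banks[f.value]) >= min_banks):
                f.value, f.tag, exposed = vault.reveal(f.value), "N", exposed + 1
    return exposed
```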

Data verification system 50 verifies the accuracy of data from providers 28. Specifically, false data is difficult to extract accurate statistics from and serves no useful purpose. Accordingly, the present invention provides a mechanism that seriously deters intentionally inaccurate data. One such mechanism is to perform spot or random checks of the data and/or provider 28.
For example, data verification system 50 could associate a random integer number N(A,k) to any provider "A", with N(A,k) at most equal to some upper bound UB for the k-th lapse of time of duration T, thus:

N(A,k) < UB between times (k-1)T and kT.

For instance, T may be a year or a quarter. Then, at time kT, N(A,k) events reported by provider "A" are chosen at random, and agents, possibly from some regulatory body, are given the data reported by provider "A" about these events, and can perform any necessary inquiries. Part of the protection against false data can be achieved by automatic sensing and reporting of the events in data verification system 50. In this case, the sensors and communication means should be tamper resistant, tamper evident, tamper sensitive, and tamper reactive. In some industries, the participants of a data pool may prefer to expect that all other participants will act with good faith honesty rather than have the exposure to even limited control, as described above.

Program approval system 52 authorizes the use of a data analysis system 26 for analyzing data collected by data management system 10. Specifically, as shown in Fig. 1, computer system 11 could be provided with a software program (i.e., data analysis system) that can manipulate the provided data. However, before a particular system 26 can be implemented, permission could be required. In a typical embodiment shown in Fig. 4, a group of experts 100 could create a new data analysis system 26. This data analysis system 26 is circulated among the member entities 100A-F and each signs a well-defined hash of the data analysis system 26. The data analysis system 26 with all member signatures is then sent to the data management system 10, where all signatures are checked before the data analysis system 26 is accepted. Requests for actions of the existing program will similarly carry all needed signatures. In some cases, copies of such requests will be kept by all members, who can request the corresponding analysis at will and without the knowledge of the others. In other cases, all or some members must sign the inquiry just before it is made, or once for any inquiry with no control of the actual time of use. Validity of the signatures and their authority level will be checked with a tool such as Tivoli Policy Director.
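The approval check described above, as an added example that is not the patent's code nor Tivoli Policy Director: each member signs the hash of the proposed program (or of a request to run it), and the system accepts it only when one valid signature per required member verifies over the hash of the bytes actually received. HMAC tags under a per-member secret shared with the system stand in for the digital signatures the text describes; member ids and keys are constructed.

```python
"""All-member approval of a data analysis program over its hash."""
import hashlib
import hmac

# Constructed per-member secrets known to the data management system (100A-F).
MEMBER_KEYS = {m: ("key-" + m).encode()
               for m in ("100A", "100B", "100C", "100D", "100E", "100F")}


def subject_hash(subject: bytes) -> str:
    """The well-defined hash every member signs: SHA-256 of the program or
    request bytes exactly as circulated."""
    return hashlib.sha256(subject).hexdigest()


def member_sign(member: str, subject: bytes, key: bytes) -> dict:
    """A member's approval binds its identity to the exact bytes it reviewed
    (HMAC stands in for a signature in this example)."""
    h = subject_hash(subject)
    tag = hmac.new(key, ("%s|%s" % (member, h)).encode(), hashlib.sha256).hexdigest()
    return {"member": member, "hash": h, "tag": tag}


def verify_approvals(subject: bytes, approvals: list, member_keys: dict = MEMBER_KEYS,
                     required: set = None) -> tuple:
    """Return (accepted, reason).  `required` is the set of members that must
    approve (default: every member).  An unknown, duplicate, stale (other hash)
    or forged approval, or a missing one, rejects the subject."""
    required = set(member_keys) if required is None else set(required)
    h = subject_hash(subject)                 # hash what was received, not what was claimed
    seen = set()
    for a in approvals:
        m = a.get("member")
        if m not in member_keys:
            return False, "unknown member %r" % (m,)
        if m in seen:
            return False, "duplicate approval from %s" % m
        if a.get("hash") != h:
            return False, "%s approved different bytes than those received" % m
        expected = hmac.new(member_keys[m], ("%s|%s" % (m, h)).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(a.get("tag", ""))):
            return False, "signature check failed for %s" % m
        seen.add(m)
    missing = sorted(required - seen)
    if missing:
        return False, "missing approvals: " + ", ".join(missing)
    return True, "all required approvals verified"
```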

On some occasions, a proposed data analysis system might provide low value results because the way in which it performs analyses, and/or presents analysis results, compromises the confidentiality of the data. On such occasions, combinations of policy changes and modification(s) of the data analysis system will be tested on "fake" data until a threshold is reached where desired confidentiality is preserved, yet the data analysis system provides useful information.

As indicated above, access to data management system 10 is controlled by access control system 40 (Fig. 3). Specifically, access control system 40 ensures that only authorized entities can interact with system 10. In a typical embodiment, different classes of entities could be provided, as governed by internal rules. For example, non-member entities (i.e., the system owner or administrator) may only have permission to administer data management system 10 but not to access analysis reports or data. Moreover, some member entities (e.g., provider members or requester members) may have access only to provide data or request data analyses. Alternatively, some entities might have "full member rights" access to data management system 10 whereby such members can interact with all aspects of system 10. Typically, only full rights members can determine whether a particular data analysis system 26 can be implemented on data management system 10. In one embodiment of the present invention, no entity (member or non-member) can access the data itself. In another embodiment, only entities with special permission can access the data. In yet another embodiment, only government or regulatory agents can access the data with special keys (as will be further described below). In such an instance, several agents could be required to act in concert for access to be granted. Alternatively, the agents could be required to be acting pursuant to a warrant for access to be granted.

Data protection system 24 is also provided with key security system 54, which protects encryption/decryption keys used for data received from providers 28 as well as those for concealing confidential details of received data. In a typical embodiment, key security system 54 will destroy any keys upon a breach of system 10. Such a function is provided by reactive systems such as the IBM 4758, and can be augmented by extra equipment for surveillance and means of destruction of the machine.

Backup and recovery system 56 allows data to remain intact in the event of system 10 failure. In addition, backup and recovery system 56 provides redundancy so that soon after a local attack or failure, the original level of security is restored (as will be further described below). All secure hardware that maintains the keys and guards against any undesired access to data should preferably come in multiple copies, disseminated in various locations sufficiently remote from each other and protected against global destruction. One way to provide such redundancy is to have a series of machines such as the IBM 4758 recognize each other as uncorrupted machines using their machine-generated master keys, and then collectively determine common actual master keys for the rest of the operations. This can be accomplished by randomly electing a master machine, or by using a system such as a Diffie-Hellman session. This system of utilizing secure machines could also provide an access key for agents of the government or regulatory bodies (as described above). Typically, multiple keys that need to be activated simultaneously would be needed for such access. Many scenarios can be used to generate such special access keys. For instance, the keys could be given once to appropriate agencies, or an agency could request that some minimal number of participants be granted access to the system 10 or data (e.g., if a warrant is issued). Collectively, these and other key methods can be used to control access to data management system 10 and the data stored therein. In any event, the use of secure machines that are tamper resistant, tamper evident, tamper sensitive, tamper reactive (erasing their key when an attack is detected) and programmable ensures the confidentiality of data.

Data retrieval system 58 provides a mechanism for requesters 30 to gain access to stored and/or analyzed data. Specifically, data retrieval system 58 provides a way for requesters 30 to access data analysis system 26, or the results thereof, to obtain information (e.g., data, statistics, etc.). As indicated above, however, access to data analysis system 26 is limited by access control system 40 to authorized requesters. One example of an approved requester 30 could be an organization that has been the victim of an event that resulted in lost profits. In such an event, requester 30 could access data to identify possible solutions for the loss. Such solutions could include, for example, organizational, technological, and/or financial solutions. For example, requester 30 could obtain a list of qualified repairmen.

It should be understood that all systems 40-58 of data protection system 24 
could be implemented as hardware, software, manpower, or any combination 
thereof. 

Referring back to Fig. 1, communication with data management system 10 
occurs via communication links 32. Communication links 32 can include a 
direct terminal connected to the data management system 10, or a remote 
workstation in a client-server environment. In the case of the latter, the client and 
server may be connected via the Internet, wide area networks (WAN), local area 
networks (LAN) or other private networks. The server and client may utilize 
conventional token ring connectivity, Ethernet, or other conventional 
communications standards. Where the client is connected to the system server via 
the Internet, connectivity could be provided by a conventional TCP/IP sockets-based 
protocol. In this instance, the client would utilize an Internet service 
provider outside the system to establish connectivity to the system server within 
the system. 
It is understood that the present invention can be realized in hardware, 
software, or a combination of hardware and software. Moreover, computer 
systems 11 according to the present invention can be realized in a centralized 
fashion in a single computerized workstation, or in a distributed fashion where 
different elements are spread across several interconnected systems as shown in 
Fig. 2 (e.g., a network). Any kind of computer/server system(s) - or other 
apparatus adapted for carrying out the methods described herein - is suited. A 
typical combination of hardware and software could be a general purpose 
computer system with a computer program that, when loaded and executed, 
controls computer system 11 such that it carries out the methods described herein. 
Alternatively, a specific use computer, containing specialized hardware for 
carrying out one or more of the functional tasks of the invention, could be utilized. 
The present invention can also be embedded in a computer program product, 
which comprises all the features enabling the implementation of the methods 
described herein, and which - when loaded in a computer system - is able to carry 
out these methods. Computer program, software program, program, or software, 
in the present context mean any expression, in any language, code or notation, of 
a set of instructions intended to cause a system having an information processing 
capability to perform a particular function either directly or after either or both of 
the following: (a) conversion to another language, code or notation; and/or (b) 
reproduction in a different material form. 
Hereinabove, two scenarios involving sensitive data were discussed. A 
third scenario involves situations where law, regulation, or practice directly or 
indirectly prevents disclosure of a link between pieces of information and the 
identity of providers. Examples of this include: (1) where entities are required to 
maintain "Chinese Walls" between various activities; and (2) where countries 
prohibit company- or customer-related information from being exported outside their 
territory. 

With respect to the first example, the policy/requirement for a "Chinese 
Wall" may be reformulated (based upon the benefits of the present invention) so as to 
allow data to be exploited under the present invention and to allow commercial 
propositions corresponding to the appropriate lines of business to be sent through 
those business units (without informing the agents how the decision was made to 
formulate the propositions). Specifically, an automatic Customer Relationship 
Management (CRM) tool could run inside of the entity's "Chinese Wall" and 
verify, before making any conclusion, whether the entity has allowed for these 
systems. For verification, cases from which all personal information has been 
removed will be provided by the system to the agents responsible for the system's 
efficient running. 

In addition, counters could be used to limit the number of commercial 
conclusions and proposals the CRM tool would draw for any entity. An incentive 
for the entity to have some analysis made would be that multiple registrations of a 
given individual through multiple lines of business would be matched as 
belonging to the same person. As consequences emanate from several lines of 
business, this person would be addressed only once, and in the case of similar but 
different campaigns, a choice of one may be enforced to ensure the individual is 
not overwhelmed. 

With regard to the second example, the fact that confidential data is never 
disclosed under the present invention may allow a regulator to correspondingly 
modify the rules. For instance, banks in country "X" may benefit from data 
about operational risk in Business to Business (B2B) exchanges from other 
countries, which they would not access without participating in the pools of data. 
The present invention may provide incentive for modifying the rules with the 
consent of the B2B market participants, who would thus obtain better services 
while being guaranteed that data they wish to keep confidential remains as such. 

Thus, the present invention allows data analysis on possibly scarce but 
nonetheless confidential data. This analysis permits operational risk mitigation by 
developing and making available data about protection, diagnosis methods, 
correction tools, methods, and experts. This is so that a member that is the victim of an 
event will be able to access solutions that could include organizational, 
technological, or financial (for instance, new types of insurance policies) solutions. 
For example, a list of expert repairmen/repair organizations with proper 
credentials could be accessed. In this example, the present invention could 
incorporate ratings of repair organizations while not compromising confidential 
details of previous engagements. 

In addition, the present invention also permits the building of backups of 
infrastructures at the level for instance of cities, states, countries or beyond, to 
ensure the overall resiliency of an industry to large scale natural, accidental, or 
criminal events. Accordingly, the present invention can be an essential tool to 
build elements enabling total resiliency of an industry where data and methods 
need some level of confidentiality. The fact that the present invention allows data 
to be shared without breaching confidentiality should also allow governing 
bodies, or commonly allocated funds, to fund redundancy components of the 
global infrastructure of markets. 

The foregoing description of the invention has been presented for purposes 
of illustration and description. It is not intended to be exhaustive or to limit the 
invention to the precise form disclosed, and obviously, many modifications and 
variations are possible. Such modifications and variations that may be apparent to 
a person skilled in the art are intended to be included within the scope of this 
invention as defined by the accompanying claims. 



Claims 



1. A data management system, comprising: 

an access control system for limiting access to the data management 
system to authorized entities; 

a data confidentiality system for identifying and concealing confidential 
details in received data; 

a data storage system for storing the received data; and 

a data update system for examining stored data to identify and expose non-
confidential details. 

2. The system of claim 1, further comprising: 

a data decryption system for decrypting received data; 
a data verification system for verifying an accuracy of received data; 
a program approval system for approving systems for analyzing the stored 
data; and 

a key security system for protecting encryption keys. 

3. The system of claim 1, wherein stored data is analyzed with a data analysis 
system. 

4. The system of claim 3, wherein the data analysis system is permitted to analyze 
the stored data based upon approval by full rights members of the data 
management system. 

5. The system of claim 1, wherein the data management system is a tamper resistant, 
tamper evident, tamper sensitive, tamper reactive, and programmable system. 
6. The system of claim 1, wherein the received data and the stored data are 
operational risk data. 

7. The system of claim 1, wherein the system mitigates operational risk. 

8. The system of claim 1, wherein data is received based upon a randomly 
generated time interval. 

9. The system of claim 1, wherein the confidential details cannot be accessed by 
any entity. 

10. The system of claim 1, wherein the confidential details can only be accessed 
by a plurality of entities acting in concert. 

11. The system of claim 1, further comprising a customer relationship 
management tool for verifying a policy of an entity. 

12. A data management system, comprising: 

an access control system for limiting access to the data management 
system to authorized entities; 

a data decryption system for receiving and decrypting received operational 
risk data; 

a data confidentiality system for identifying and concealing confidential 
details in the received data; 

a data storage system for storing received data after the confidential details 
have been concealed; 

a data update system for examining stored data to identify and expose non-
confidential details; 

a program approval system for approving systems for analyzing the stored 
data; and 

a key security system for protecting encryption keys. 

13. The system of claim 12, wherein stored data is analyzed with a data analysis 
system. 

14. The system of claim 13, wherein the data analysis system is permitted to 
analyze the stored data by the program approval system based upon approval by 
full rights members of the data management system. 
15. The system of claim 12, wherein a provider submits the operational risk data 
to the data management system, and wherein a requestor accesses the stored data. 
16. A method for managing data, comprising: 

receiving data in a secured manner from an authorized provider; 

identifying and concealing confidential details in the received data; 

storing the received data; and 

updating the stored data by identifying and exposing non-confidential 
details in the stored data. 

17. The method of claim 16, further comprising: 

decrypting the received data, prior to the identifying step; 

verifying an accuracy of the received data; 

approving a system for analyzing the stored data; and 

protecting encryption keys. 

18. The method of claim 16, further comprising analyzing the stored data with a 
data analysis system. 

19. The method of claim 18, further comprising approving the data analysis 
system based upon approval by full rights members. 
20. A program product stored on a recordable medium for managing data, which, 
when executed, comprises: 

an access control system for limiting access to the data management 
system to authorized entities; 

a data confidentiality system for identifying and concealing confidential 
details in received data; 

a data storage system for storing the received data; and 

a data update system for examining stored data to identify and expose non-
confidential details. 

21. The program product of claim 20, further comprising: 

a data decryption system for decrypting received data; 

a data verification system for verifying an accuracy of received data; 

a program approval system for approving systems for analyzing the stored 
data; and 

a key security system for protecting encryption keys. 

22. The program product of claim 20, further comprising a data analysis system 
for analyzing the stored data. 

23. The program product of claim 20, wherein the data analysis system is 
approved by full rights members. 

24. The program product of claim 20, wherein the received data is operational risk 
data. 